Display name impersonation using recipient SLD

The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.

Sublime rule (View on GitHub)

name: "Display name impersonation using recipient SLD"
description: |
  The recipient domain's SLD is used in the sender's display name
  in order to impersonate the organization.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // recipient SLD is being impersonated in the display name
    (
      // these are usually targeted with just 1 recipient,
      // but sometimes they CC themselves or have a blank CC
      length(recipients.to) + length(recipients.cc) + length(recipients.bcc) <= 2
      and any(recipients.to,
              // ensure that we're checking the org SLD
              .email.domain.sld in $org_slds
              and strings.icontains(sender.display_name, .email.domain.sld)
      )
    )
    or (
      // accounts for BCC'd messages where the recipients are empty
      // if BCC, sometimes the recipient will be the attacker's email
      length(recipients.to) + length(recipients.cc) + length(recipients.bcc) <= 2
      and strings.icontains(sender.display_name, mailbox.email.domain.sld)
    )
  )

  and (
      // at least 1 link or non-image attachment
      (
        length(body.links) > 0
        // these attacks all use compromised senders, so we look for a domain
        // that doesn't match the sender's domain to weed out legit messages
        and any(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
      )
      or length(filter(attachments, .file_type not in $file_types_images)) > 0
  )

  and not (
    strings.contains(sender.display_name, "on behalf of")
    and sender.email.domain.root_domain == "microsoftonline.com"
  )

  and all(recipients.to, .email.email != sender.email.email and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))

  // negate org domain senders, which can often be misconfigured and fail
  // authentication, causing them to be type.inbound instead of type.internal.
  // this is fine because we should catch spoofs in other ways.
  // also, we use root_domain here to account for subdomains used by internal tools that aren't connected to the tenant.
  // this should also be safe because domains like onmicrosoft[.]com are tracked as FQDNs in $org_domains, so they won't match
  and sender.email.domain.root_domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    (
      not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "81a8ed12-0e26-5998-90ae-03334f358704"
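As an added example that is not part of Sublime's rule or its code, the following Python re-implements the rule's core checks over constructed sample messages so the logic can be stepped through outside the platform. It assumes a minimal message shape, naive domain parsing (last two labels, unlike Sublime's real domain handling), and the constants ORG_SLDS, ORG_DOMAINS and IMAGE_TYPES as stand-ins for the rule's $org_slds, $org_domains and $file_types_images lists; the high-trust-domain and sender-profile negations are omitted.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the rule's $org_slds, $org_domains and $file_types_images lists.
ORG_SLDS = {"acme"}
ORG_DOMAINS = {"acme.com"}
IMAGE_TYPES = {"png", "jpg", "gif"}

def sld(domain: str) -> str:
    """Naive second-level label, e.g. 'acme' for 'mail.acme.com' (the real rule uses proper domain parsing)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def root_domain(domain: str) -> str:
    """Naive registrable domain: the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])

@dataclass
class Message:
    sender_display: str
    sender_email: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    link_domains: list[str] = field(default_factory=list)   # root domains of body.links
    attachment_types: list[str] = field(default_factory=list)

def impersonates_recipient_sld(m: Message, mailbox_domain: str = "acme.com") -> bool:
    """Simplified port of the rule's core logic; trust-list and profile negations are omitted."""
    sender_domain = m.sender_email.split("@")[1]
    # org-domain senders are left to other (spoof) rules, as in the rule's root_domain negation
    if root_domain(sender_domain) in ORG_DOMAINS:
        return False
    # these attacks are targeted: at most two recipients across To/Cc/Bcc
    if len(m.to) + len(m.cc) + len(m.bcc) > 2:
        return False
    # the rule requires every To recipient to differ from the sender itself
    if any(r.lower() == m.sender_email.lower() for r in m.to):
        return False
    name = m.sender_display.lower()
    to_slds = {sld(r.split("@")[1]) for r in m.to}
    impersonates = any(s in ORG_SLDS and s in name for s in to_slds)
    # Bcc'd delivery: recipients may be empty, so fall back to the receiving mailbox's SLD
    impersonates = impersonates or sld(mailbox_domain) in name
    if not impersonates:
        return False
    # payload: a link whose domain differs from the (usually compromised) sender's, or a non-image attachment
    foreign_link = any(root_domain(d) != root_domain(sender_domain) for d in m.link_domains)
    non_image = any(t.lower() not in IMAGE_TYPES for t in m.attachment_types)
    return foreign_link or non_image
```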